Groups with Complex Modulus*

Home , Gaussian integer

Int. J. Communications, Network and System Sciences, 2011, 4, 287-296 doi:10.4236/ijcns.2011.45033 Published Online May 2011 (http://www.SciRP.org/journal/ijcns)

Protection of Sensitive Messages Based on Quadratic Roots of Gaussians: Groups with Complex Modulus*

Boris Verkhovsky Computer Science Department, New Jersey Institute of Technology, University Heights, Newark, USA E-mail: [email protected] Received April 5, 2011; revised May 3, 2011; accepted May 20, 2011

Abstract

This paper considers three algorithms for the extraction of square roots of complex integers {called Gaus- sians} using arithmetic based on complex modulus p + iq. These algorithms are almost twice as fast as the analogous algorithms extracting square roots of either real or complex integers in arithmetic based on modulus p, where p is a real prime. A cryptographic system based on these algorithms is provided in this paper. A procedure reducing the computational complexity is described as well. Main results are explained in several numeric illustrations.

Keywords: Complex Modulus; Computational Efficiency; Cryptographic Algorithm; Digital Isotopes; Multiplicative Control Parameter; Octadic Roots, Quartic Roots, Rabin Algorithm, Reduction of Complexity, Resolventa, Secure Communication, Square Roots

1. Introduction and Problem Statement Gaussians, and let Gi:1 4  1,4 be the Gaussian modulus. Inside each square there is a number of Gaus- The concept of complex modulus was introduced by C. F. sian integers; plus every vertex of each square is also a Gauss [1]. The set of complex integers is an infinite sys- Gaussian integer. In order to avoid multiple counting of tem of equidistant points located on parallel straight lines, the same vertex, we consider that only the left-most bot- such that the infinite plane is decomposable into infi- tom vertex of each square belongs to that square [1]. For nitely many squares. Analogously, every integer that is more insights and graphics see [2]. divisible by a complex integer m = a + bi forms infini- This paper is a logical continuation of a recently pub- tely many squares, with sides equal to ab22 . lished paper [3], which considered a cryptographic scheme based on complex integers modulo real semi-prime pq. 1.1. Complex Moduli The above mentioned paper describes an extractor of quadratic roots from complex integers called Gaussians. A slightly different approach is considered in [4]. Several Let’s denote ab,: a bi . Associates of Gpq:,   general ideas for computation of a square root in modular are –G, iG and –iG; they are the vertices of a square arithmetic are provided in [5-7]. where Gpq, ; iG 0, 1p , q q, p ;       This paper considers arithmetic based on complex in- iG 0, 1 p,, q q  p .   tegers with Gaussian modulus. As demonstrated below, To understand the congruencies, let’s consider a sys- the extraction of square roots in such arithmetic requires tem of integer Cartesian coordinates. The squares on this a smaller number of basic operations. As a result, the system of coordinates are inclined to the former squares described cryptographic system is almost twice faster if neither of integers a, b is equal to zero [1]. Then the than the analogous systems in [3,4]. associates of the modulus pq, are rotations of “vec-  Consider quadratic equation tor” pq,  on 90 degrees. Let’s consider the plane of complex numbers and as an example, the complex prime x,,modycd2  pq,, (1) number 1, 4 : 1 4i [2]. Let the left-most bottom point of the mesh be the origin of the coordinate system for where modulus Gpq:,   is a Gaussian prime; and let 22 *Dedicated to the memory of Samuel A. Verkhovsky. Npqpq:,   . (2)

1.2. General Properties lution for w, it implies that

uw,1,01    ,0,p q mod G. (8) Proposition 1: Gaussian pq,  is a prime if and only  if its norm N is a real prime [1]. Hence, if a root  x, y is known, then another root of Remark 1: Since pq,,  qp, without loss c,d is uw, x,y mo d. G of generality we assume that, if pq,  is prime, then p Quartic roots: There are four quartic roots of 1, 0  , 4 is odd and q is even {unless it is stated otherwise}. each satisfying qk  1, 0  : Proposition 2: If norm of  pq,  is a prime (2), then qq (1,0); ( 1,0); q 0,1 ;q  0,  1  ; (9) for every pq,, N 14 is an integer. 12 3 4 Proof: Let pk:2 1 and q:2 r. Then (2) implies where that 22 qq3,4 2mod Gqq ; 2 1 1,0 mod G . 2 Nkk14  1 r. Q.E.D. (3) 2.2. Quadratic Root Extractor (QRE-1) Proposition 3 {cyclic identity}: If gcdab , , pq ,   1,0 and G is a prime, then the following identity holds: Step 1.1: Compute ab,mod,1,N 1  pq  0. (4) Nm:;pq22 :14;NzN 38 (10) Remark 2: More details about identity (4) are provided in the Appendix in Proposition 3.A. Step 2.1: if N is not a prime, then QRE-1 algorithm is Proposition 4 {Modular multiplicative inverse}: if not applicable, na ; Remark 4: gcdab , , pq , 1, 0, then  pq1,  1, 0 mod G; (11) ab,,mo12  abN d G. (5) Step 3.1: Compute Remark 3: Yet, more computationally-efficient is to m solve an appropriate Diophantine equation. However, E:, cdmod G; (12) this is beyond the scope of this paper. Step 4.1: if E  0, 1 , then cd,  is Gaussian qua- Definition 1: Gaussian x, y is called a quadratic  dratic non-residue (GQNR }, i.e. its squ are root does not root of cd, modulo G if x, y and cd, satisfy     exist; Equation (1); we denote it as Step 5.1: if E  1, 0  , then x,:ycd ,modG. (6) N 38   x,:yc ,d  m od G; (13)

2. Quadratic Root Extraction Where Step 6.1: if E  1, 0  , then N  5mod8 R : 0, 1 modGG ; RE  1 mod ; (14)

z Proposition 5: If  pq,  is prime and N  5mod8  , x,:yRcdG  , mod; (15) then mN:14 is odd. Step 7.1 {2nd square root}: Proof: Notice that q mod 4 2 , otherwise (3) implies that N  1mod8. Q.E.D. tv,:  p 1,, q xymodG (11). (16)

2.1. Quadratic and Quartic Roots of 1, 0 2.3. Validation of Algorithm Modulo pq, Proposition 6: Suppose Consider a quadratic root uw,  of 1, 0mo d pq ,  : a)  pq,  is a prime and q  2mod4; (17) uw,:  1,0mod, pq . N 14 Then uw,2 u22 w,21 uw ,0mod pq,. This b) zN38; Ecd:,  md o G; (18) 2 equation holds if either w = 0 and u 1modG; or if 1 u = 0 and c) REEGmod if  1, 0 or  1,0 ; (19) w2 1modG . (7) then z Since the last equation does not have a real integer so- cd,,mo R  cdd G . (20)

Proof: First of all, (19) implies that Table 1. Quadratic root extraction and verification; N mod 8 = 5 . ER2 mod G   1,0 . (21) Yet, cd,  (3, 8) (4, 8) (6, 7) (8, −2) (9, 2) (10, 5)

N 34 m cd,R22 cd,,, cdN 14 R cd ER 2cd, (1, 0) (10, −2) (−1, 0) (−1, 0) (3, 9) (1, 0) .(22) z cd, (9, −2) QNR (5, 3) (11, 4) QNR (2, 2)  cd , modG cd, z R (9, −2) na (7, 2) (7, −1) na (2, 2) Therefore, (21) and (22) imply equation x, y2 (3, 8) *** (6, 7) (8, −2) *** (10, 5) cd,,m2z R2  cdod G , (23)    which itself implies that (20) is correct. Q.E.D. mN:1  8 d isand od N  716 is an integer. Proof: Since p = 8w + 3 and q = 4r, therefor e 22 3. Criterion of Gaussian Quadratic Nwwr 16 4 3  9 (2). Hence 16N  7 . If we assume that m is even; then Residuosity Where N  5mod8  Nm7 16 12. (2 7)

Proposition 7: Gaussian cd, has a quadratic root Thus, if m 2 is integer, then  N  716 is not (27). modulo Gaussian prime pq, only if This contradiction proves Proposition 8. Proposition 9 {criterion of Gaussian quadratic residu- N 14 cd,md1,0o G. (24) osity}: Let Example 1: Consider p91,q 6; N  p,8317q , N 18 which is a prime; hence 91, 6 are Gaussian primes. Ecd:,  mod G; (28) Compute mN: 1 4/ 2079; zN:3 8  1040 ; Let cd,81,71 . Since and gcdcd , , G  1 . 81,71m 96,85 1,0 mod  91, 6  (11), therefore, Then cd,  has a quadratic root modulo Gaussian prime G if xy, 81,71  81,71 1040 0,1 (25) E:1 ,0;0  ,11;  i; {see the algorithm below}.  57,75 mod 91, 6 . (29) Verification: Indeed, Proposition 10: Suppose 2 57,75 mod 91, 6 81,71. (26) a) p is odd and q  0mod4  ; (30)

4. Numeric Illustration b) zN 716 ; (31) c) Resolventa R satisfies the following conditions: Consider p = 10, q = −3. Then N = 109; m = 27; z = 14. m  In Table 1 cd, are the quartic roots q of unity 1,0 modGE if  1,0 ; (32) k  (9), i.e., RGE0, 1 mod if   1,0 ; (33)  R:q1 1,0; q2  12,7 1,0 ;q3  3,9 0,  1 ; 3 .  EGEmod if  0, 1 ; (34) qp 10, 2 0,1 mod ,q 4  Then Step-by-step process of extraction of the square roots cd,,moz R  cdd G . (35) and criteria of quadratic residuosity are illustrated for several values of cd,  . Proof: Notice that in (32)-(34) RE 1 mod G. If (35) is correct, then it implies that

5. Quadratic Root Ex traction (QRE-2) 2z cd,, R2   cd modG. (36) Where N  9 mod 16 On the other hand, 5.1. Basic Properties cd,,,m21zN R22  cd cd 8 R odG; (37)  Proposition 8: if p  3mod8 and q  0mod4 , then therefore (28), (32)-(34) imply that

ER2 mod p , q  1. (38) Example 2: Let G = (8, −3); then 22,4mod8,31     and 25,1mod8,3 . Hence (36) is correct. In other words, it confirms as- Hence i  1,1 5,1 2, 4 2, 3  mod  8, 3  [8]. sumption (35). Q.E.D. 8 Indeed, 2,3 1,0 mod  8, 3  . 5.2. Octadic Roots of 1, 0 Modulo pq, Indirect computation: In general, observe that if square root of 2 does not exist a nd for a Gaussian ab,  Consider roots of 8th power (called the octadic roots) of holds ineq uality unity; there are eight such roots: for k = 1, ···, 8 F: ab, N 18  mod G 1,;0,10 , (44) eee:1,0:8 1,0;:0,1; k  1,2 3,4  then (39) N 18 ee : 0,1 ; : 0, 1 ab, mod G i or i . (45) 5,6 7,8      Then Although in this case we do not directly compute 22 0,1mod G , it is obvious that eee213,41, 0 ;   1, 0 e2 ; . (40) 2 22 if FGmod  0,1 (44), then eee5,60,1 3 ; 7,8   0, 1 e 4 iFG0,1 mod ; (46) Therefore, the resolventa R must satisfy the following equations for k = 1, 2, ···, 8: otherwise 1 Rekkmod G 1,0 or R e  mod G. (41) iF0, 1 0, 1 0, 1 mod G. (47) 1 Thus, Re:kk e if k 1,2; 5.5. Algorithm for Quadratic Root Extraction Re:132 e eee  if k3,4; (42) kkkkk and Step 1.2: Np:; 22qz mN:18;   N716 (48) 1742 2 0, 1ek if k 5,6 R: ek e k eee kkk  ee kk  . 0,1ekk if  7,8 Step 2.2: if N is not a prime, then the QRE-2 algo- (43) rithm is not ap plicable; Step 3.2: Find a Gaussian ab, , for which 5.3. Computation of i  0,1 Modulo  pq,  Fab:,m mod1,0;0,1 G  ; (49) Step 4.2: if F 2  0,1 , then RF:o im d G; If pq, is fixed and N mod 16 9 , then this root if F 2  0, 1 , then RFiG:0  ,1 m od; must be pre-computed in advance. Step 5.2: Compute Direct computation: Since Ecd:, m mod G; (50) iicos π 2sinπ 2 Step 6.2: if E  1, 0 ; 0, 1  (22), then square  cos π 4sini π 41,122, root of cd,  does not exist; Step 7.2: if E = (1,0), then x,:ycdG ,z mod; it is necessary to compute square root of two and multi- goto Step 10.2; plicative inverse of two modulo G. Step 8.2: if E  1, 0  , then z x,:yc ,d0d,1 mo G; goto Step 10.2; 5.4. Multiplicative Inverse of 2 Modulo pq,     Step 9.2: if E  0,1 , then

z If p is odd and q is even, then x,:ycd ,0,1 R modG; goto Step 10.2; (51) 1 212,2mod,pq pq; else z if q is odd and p is even, then xy,: cd, R modG; (52) 212,2mod,1 qp pq. Step 10.2 {2nd square root}: Otherwise the modular inverse of 2 does not exist. tv,:  p 1,,mod q xy  G. (53)

6. Second Numeric Illustration qGj4 1, 0 mod , 1, 2, 3, 4. (56) j   

Consider pq,8,3, then N = 73, i.e., Definition 4: ek is a octadic root of 1, 0  if 73 9 mod 16 ; mz9; 5; (54) 8 eGkk 1, 0 mod , 1, 2, , 8. (57) Octadic roots of 1, 0 : Definition 5: sl is a sedonic root of 1, 0  if 2 e1 10,5 1,0 ; 16 sGll 1, 0 mod , 1, 2, ,16. (58)

e2 10,5 1,0 mod  8, 3; 7.2. Resolventa of Quadratic Root Extractor 2 8, 210,5 ; e3   8, 2 0,1;

2 Proposition 12: Suppose 3, 7 10, 5  ; e4 3, 7 0, 1; a) pq7 mod 16 and  0 mod 8, (59) 2 2,3 8, 2  ; e5  2,3   0,1 ; b) Lc:22 dz ;  N 15 32; m: N 1 16 (60) 2 9, 2 8, 2  ; e  9, 2   0,1 ; m 6 c) Let Ecd:,  mod,  pq; and resolventa R satis- 2 fies the following conditions: 5, 1 3, 7 ; e7  5, 1 0,  1; 1 2 Ru:m ii uod GEu if i; (61) 6, 6 3,7 ; e8 6, 6  0, 1. 13 The following nine values of cd,  in Table 2 illus- Rq:mj qj od GEq if j ; (62) trate various cases of QRE-2 algorithm. 17 Re:mk ekkod GEe if ; (63) 7. Quadratic Root Extraction (QRE-3) Rs:m 115 sod GEs if  ; (64) Where N  17 mod 32 ll l then z 7.1. Basic Property and Roots of 1, 0 cd,,mo R  cdd G. (65) Proof: Let Proposition 11: Analogously it can be proved th at if z p 7 mod 16 and q  0mod8, then  N 15 32 x,,ycdRcdG:m   ,od. (66) is integer and mN:116 is odd. Therefore Proof: Let pk16 7 and qr 8 ; then cd,, N 15 16 R22 cd ERmod G . (67) Nkk32 8 7 2 49 , i.e., 32N  15 .    

Notice that Nm15 321 2 . On the other hand, If Eu i , then if m is even, th en m 12 is not an integer, which 222 ER E u 1, 0 mod G; (68) implies that N 15 32 is not an int eger. Q.E.D. i

Definition 2: ui is a square root of 1, 0 if if Eq j , then 2 244 uGi 1, 0 mod  , i1, 2. (55) ER E q j 1, 0 mod G; (69)

Definition 3: q j is a quartic root of 1, 0 if if Ee k , then

Table 2. Quad ratic r oot extractor where N  9 mod 16.

cd, (1, 1) (3, −1) (3, 4) (4, 3) (5, 1) (5, 5) (7, −1) (8, 5) (10, 3) cd, m (2, 3) (0, 1) (0, −1) (0, −1) (1, 0) (0, 1) (9, 2) (8, −2) (−1, 0) cd, z na (8, 5) (3, 6) (5, 7) (1, 2) (8, 1) na (3, −1) (9, 19) cd, z R na (4, 5) (9, 4) (4, 1) (1, 2) (5, 4) na (2, 2) (7, 6) x, y2 na (3, −1) (3, 4) (4, 3) (5, 1) (5, 5) na (8, 5) (10, 3)

NB1: If Ee  58,, e , then QRE-2 algorithm is not applicable, since the square roots of ee58,, do not exist.

288 the extra ctor. The se roots co rrespond to ER E ek 1, 0 mod G ; (70) m 16 if Es l , then E:gh,  1,0modG, ER21616 E s 1, 0 mod G . (71) l   where m = 7; G  pq,8,  7 and Gaussians  gh,:  6,3 ;10,1;11   ,3;5, 4 . 7.3. Sed onic Roots of 1, 0 Modulo G The remaining four sedonic roots listed in (73) are equivalent to negative values of roots in (74): Unity 1, 0 has two square roots 1, 0 and 1, 0  ; 10,5   5, 4 ; 12,  2 3,3 ; 10 ,  2 four quartic r oots 1,0; 1,0;0,1;0, 1; eight . 5,3 ; 5,  2  10,3 octadic roots 1,0; 1,0;0,1 ; 0,1; ee5678 , ,ee ,    and sixteen sedonic roots  , 1, 0 ; 1, 0 ; 0, 1 ; 0,1 ,e5678910 , eeess , , , , , ,,s 1516 s 8. Cryptographic Algorithm where Step 1.3 {System design}: Every user (Alice, Bob,…) e5,6  0,1 , e7,8 0,  1 and (72) selects a pair of Gaussian primes pq, and rs,  as

s9,10,11,12   0,1 , s13,14,15,16  0,  1 . her/his private keys, and computes np:, qrs , as her/his public key; she/he pre-computes Np22q, m,

z and R; 7.4. Third Numeric Illustration Step 2.3 {Generalized Chinese remainder Theorem

modulo composite Gaussian n}: Each user pre-computes Consider N = 113; pq,8,7. Then   his/her parameters of CRT: mN:1167; zN:15324. In Table 3 below 1, 0 14,1; 0,1 8, 6  ; M :,mod,;pq 11  rs W:,m  rs od,pq . (75) 0, 1 (7,7) mod 8,  7 ; 0, 1 6,5 ;    Step 3.3 {Encryption by sender (Alice)}: Alice repre- 0, 1 9, 4 ; 0,1  3, 1 ; sents the plaintext as an array of Gaussians and inserts digital isotopes into every Gaussian ab, [3]; 0,1 12, 2mo d  8, 7 ;    Step 4.3: Using Bob’s public key n, she computes ciphertext 0,  1 ; (73) 2 Cabn:,mod  ; (76) 10,5;12,2;10,2;5,2 mod8,7 and transmits C to receiver (Bob) via open channels of a 0, 1 communication network; . (74) Step 5.3 {Decryption by receiver (Bob)}: He com- 5,4;3,3;5,3;10,3 mod8,7  putes square roots of C mod  pq,  and modrs ,  , In (74) there are four sedonic roots of (1,0) that must where  pq,  and rs,  are Bob’s private keys; be pre-computed on the design stage of the QRE-3 algo- Step 6.3: Using the CRT and his pre-computed M and rithm. Although this is a non-deterministic process, each W (75), Bob computes all quadratic roots of ciphertext C; of these roots must be computed only once prior to using Step 7.3: Bob recovers the initial plaintext {by select-

Table 3. Binary tree of sedonic roots of 1, 0 where modulus G  8, 7 .

gh, (6, 3) * (10, 1) * * (11, 3) * (5, 4) *

E  16 1, 0 (5, −4) (10, 5) (3, 3) (12, −2) * (5, 3) (10, −2) (10, 3) (5, −2)

E 2  8 1, 0 * (6, 5) (9, −4) * * * (3, −1) (12, 2) *

E 4  4 1, 0 * * (7, 7) * * * (8, −6) * *

E8  1, 0 * * * * (−1, 0) * * * *

E16 * * * * (1, 0) * * * *

NB2: For the sake of brevity, only 1/2 of all roots are listed in every row of Table 3; all remaining roots are listed in the rows below. For instance, 8 1,0 6,5;9,4;3,1;12,2; and  7,7;8,6;  and  1,0;  and 1,0 .

Table 4. Residues, a pplicable squ are root e xtractors a nd example s of correspon ding N.

N mod 32 5 9 13 17 21 25 29

QRE QRE-1 QRE-2 QRE-1 QRE-3 QRE-1 QRE-2 QRE-1

N1 260773 692969 432589 386641 612373 525913 906557

pq, (113, 498) (212, 805) (258, 605) (375, 496) (522, 583) (157, 708) (421, 854)

N2 812101 249257 360781 676337 159157 405529 750077

pq, (351, 8 30) (16, 49 9) (275, 53 4) (464, 67 9) (174, 35 9) (48, 63 5) (11, 86 6) ing the quad ratic root of C that has digital i sotopes [9]}. N  1m od32 . Yet, most of the moduli in the latter This algorithm is a generalizatio n of the Rabin crypto- case can still be covered if we consid er QRE algorithms, graphic algori thm [10], whic h employs th e square root where the primes N  33mod 64 ; N  65 mod 128 ; algorithm fo r encryption and d ecryption o f real integers and in general, for integer t  5 the algorithm s de- modulo semi-prime npq , where p and q are primes. scribed above can be generalized for the cases where

tt1 9. Reduction of Computational Complexity N 21mod2  , (82) and the even component in the corresponding modulus In Step 3.1 (12) and Step 4.1 (13), two exponentiations  pq,  is divisible by 2t 1 . are performed to compute cd,  to the powers m and z respectively; these operations are the most time-con- 11. Conclusion and Acknowledgements suming. However, observe that th ere is a simple linear rela- Three algorithms which extract square roots of Gaussians tionship between m and z: in arithmetic, based on Gaussian modulo reduction, are 21zm 1  N  54 . (77) considered and analyzed in this paper. Several numeric illustrations provide further explanation of these algo- This implies that it is sufficient to execute only one rithms. A public key e ncryption/ d ecr yp tion protocol based exponentiation. Indeed, we initially compute on this arithmetic is described in the paper. This crypto-

z1 graphic protocol is almost twice as fast as the analogous A1 :, cd mod G; {one exponentiation}; (78) protocols published by the author of this paper in [3,4]. then I appreciate S. Medicherla, S. Sadik and B. Saraswat for assistance in numeric illustrations and my gratitude to AA:,2 mod G cd2z1 ; {one squaring}; (79) J. Jon es, A. Koval, M. Linderman, R. Rubino and 21   anonymous reviewers and the typesetter for their sugges- after that tions that improved this paper.

A:,, A cd  cd m ; {one multiplication}; (80) 32 12. References

z [1] C. F. Gauss, “Theoria Residuorum Biquadraticorum,” and finally A41:,, A cd  cd ; {one multiplica-   2nd Edition, Chelsea, New York, 1965, pp. 534-586. tion}. (81) [2] M. Kirsch, “Tutorial on Gaussian Arithmetic Based on Complex Modulus,” 2008. 10. Applicability of QRE Algorithms http://wlym.com/~animations/ceres/index.html [3] B. Verkhovsky, “Information Protection Based on Ex- Consider AN: mod32 , where N are primes, which can traction of Square Roots of Gaussian Integers,” Interna- be represented as a sum of two integer squares. For such N tional Journal of Communications, Network and System the residues are equal A :  1, 5, 9,13,17, 21, 25 and 29. Sciences, Vol. 4, No. 3, 2011, pp. 133-138. Table 4 above indicates which algorithm is applicable doi:10.4236/ijcns.2011.43016 for each value of residue A. [4] B. Verkhovsky and A. Koval, “Cryptosystem Based on Extraction of Square Roots of Complex Integers,” In: S. Therefore, the three algorithms provided in this paper Latifi, Ed., Proceedings of 5th International Conference cover all cases of prime moduli with the exception of on Information Technology: New Generations, Las Vegas,

7-9 April 2008, pp. 1190-1191. plex Variables and Applications,” 3rd Edition, McGraw [5] E. Bach and J. Shallit, “Efficient Algorithm,” Algorithmic Hill, New York, 1976. Number Theory, Vol. 1, MIT Press, Cambridge, MA, [9] B. Verkhovsky, “Cubic Root Extractors of Gaussian In- 1996. tegers and Their Application in Fast Encryption for Time-Constrained Secure Communication,” International [6] R. Crandall and C. Pomerance, “Prime Numbers: A com- Journal of Communications, Network and System Sci- putational Perspective,” Springer, New York, 2001. ences, Vol. 4, No. 4, 2011, pp. 197-204. [7] R. Schoof, “Elliptic Curves over Finite Fields and the doi:10.4236/ijcns.2011.44024 Computation of Square Roots Mod p,” Mathematics of [10] M. Rabin, “Digitized Signatures and Public-Key Func- Computation, Vol. 44, No. 170, 1985, pp. 483-494. tions as Intractable as Factorization,” MIT/LCS Technical [8] R. V. Churchill, J. W. Brown and R. F. Verhey, “Com- Report, TR-212, 1979.

Appendix where 1 n2 /4 A1. Classification of Roots of 1, 0 Modulo Rcd ,mod, n1. (A.12) pq,  Proof: First of all, if Nn 2 1 is a prime integer, then There are various types of unary roots: n is even. Therefore (A.10) implies that n2 4 and Definitions and notations: n2  48 are integers. Then (A.11) and (A.12) imply that Spq11:1,0mod,  s1 ,s12; (A.1) 2 242 n where xy,,,,m R  cd cd cdod  n,1. (A.13) Ppq:1,0mod(,)  p (A.2) 11 1 Since2 the cyclic identity (4) implies that cd,1,0mod,n   n1 , then potentially is the set of principal square roots of (1,0) of the first 2 level. Then cd,mod,11,0;0,1;0,1.n 4  n    Ss21:mod,,k  pqk 1,2; (A.3) (A.14) where Therefore,  n2 4 Ppp21:m12 k od pqk,; 1,2; (A.4) 1, 0 if cd , 1, 0 ;   is the set of principal square roots of (1,0) of the second  n2 4 0,1 if cd ,   1,0 ; level. R   2 (A.15) In general, 0,1 if cd ,n 4  0, 1 ;  Ss:mod  p,q; (A.5)  n2 4 iik1,  0,1 0,1 if cd , 0,1 . where Since 0,1  1,1 2 2 modn , 1  {see Subsec- Pp:mod, pq (A.6) iik1,  tions 5.3}, then R does not exist if 2 does not exist is the set of principal square roots of (1,0) of the i-th [1,6]. Therefore cd,  is the Gaussian QNR [3]. For level. more details see (32)-(34), (A.11), (A.12), Subsection 5.4 and eight examples in Table A1. A2. Criterion of Quadratic Residuosity and Remark A1: Here 1, 9 and 10, 0 are quartic General Algorithm roots of 1, 0  modulo 10, 1 . Indeed,

q3 10,0  0 ,1 mod 10, 1 ; Proposition 1.A: Let N mod 2kk 21 1 . q 1, 90,  1 mod 10, 1 ; (9) If and only if 4       2 k1 2 N 12 qq3210,0  1,0mod  10, 1  ; Ecd:, mod GSk 1 , (A.7) 2 2 qq421,9  1, 0 10, 9  . then cd,  has a square root. In this case RE:mo 1 dG; (A.8) A4. Special Cyclic Identity and kk1 Proposition 3.A: If Npq:,  is prime, then xy,  Rc ,dd N 212mo G. (A.9) N 1 . (A.16) qp,1,0mod,  pq A3. Quadratic Extractor Modulo n,1  Remark A2: Although  pq,,   qp , identity (A.16)

holds because  pq,  and qp,  are co-prime. Indeed, Proposition 2.A: Let Nn ,1 be a prime; assumption that  pq,,uw q ,mod, p  pq , where NNmod 4 1, but mod8 1. (A.10) both u and w are integers, implies that If the norm of cd,  is co-prime with N, then square upqN  and wqpN   mod pq , . (A.17) root x, y of cd,  is equal However, (A.17) is impossible since the inverse of N n2 48 xy,,mod R  cd n,1; (A.11) m odulo  pq,  does not exi s t.

Table A1. {Quadratic root extraction where N mod 4 1 and N mod 8 1 }: n,     ; mn:222 5; zm+:12  .

cd, (2,0) (3,2) (4,8) (6,7) (7,4) (9,2) (9,9) (10,1)

2 cd, n/2 (0, −1) (−1, 0) (1, 0) (−1, 0) (−1, 0) (0, 1) (0, 1) (−1, 0)

z cd, GQNR (9, 4) (6, 3) (6, 9) (5, 8) GQNR GQNR (9, 0) R na ±(10, 0) (1, 0) ±(1, 9) ±(10, 0) na na ±(1, 9)

z xy,, cd R na ±(6, 8) ±(6, 3) ±(1, 5) ±(2, 4) na na ±(10, 8)

2 x, y *** (3, 2) (4, 8) (6, 7) (7, 4) *** *** (10, 1)

Example 1.A: 4,1028 mod  5, 2 1,0, although i.e., x  yn1; xy  r. Hence gcd 4,10 , 5, 2 29 1. xnr 12; y  nr12. (A.22) Corollary 1A: If gcdst , , pq , 1, 0 , then   Therefore, (A.20) and (A.22) imply N 1 s,,tqp  1,0mod,pq (A.18) 111     rn,, rn  nr 1,11,1 nr   Proposition 4.A: If n and r in modulus nr, have 1   rnnr,1,1 nr nr 2 different parities, then multiplicative inverse of rn, modulo  n, r exists and equals 1,0 mod nr ,  . Q.E.D. rn, 1 (A.23) (A.19) Example 2.A: Let n = 10, r = 3. Then 1 nr nr 1, nr 1  2 mod nr ,  . 3,10 1  71  4,  7 2,1 4,  7 8, 3. Proof: First of all, Indeed, 3,10 8, 3  1, 0 mod 10, 3. rn,1 n r,1m od, n  r . (A.20) Corollary 2A: If n and r in modulus nr,  have different parities and there exists multiplicative inverse of Now let’s find integers x and y such that ab,  , then multiplicative inverse of rn,,mod,ab  nr also exists. 1,1x ,ynrn 1, 0 1,  mod  , r  (A.21)